Hi, I have an unusual problem. I'm trying to double check that the fullchain matches the certificate before uploading it to load balancer (both files were generated by certbot). I keep getting the usual "unable to get issuer certificate" error. The thing is - my colleague is verifying the same two files, and everything is okay. She's using an older version of openssl on Linux. We can't figure out what's causing the different output.
===
I ran this command: openssl verify -CAfile fullchain.pem cert.pem
It produced this output:
cert.pem: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.39.0
Anyway, it should be compatible, but perhaps there are small differences.
fullchain.pem contains cert.pem and chain.pem in one file. Verification should be done using the certificate doing the actual signing, which is chain.pem. So perhaps exchanging fullchain.pem with chain.pem in your command does the trick.
When you specified CAfile, it actually wants the root certificate for the certificate chain (which should be automatically included with Linux OSs, but has some trouble on Windows and MacOS).
When OpenSSL tried to connect to the server, it’ll try to build the certificate into a trust chain, which would ultimately go to ISRG ROOT or Identrust root. However, when you specified fullchain.pem or even chain.pem, it doesn’t contain the root certificate (only either intermediate or leaf certificate, or both). In this case, as you’ve specified CAfile in the command, OpenSSL will not attempt to use your OS’s CA Trust store, and hence the “Unable to get issuer certificate” error occurred.
To successfully test your certificate, you can try to run the command without the CAfile option, or with the actual CA file located at https://letsencrypt.org/certificates/ . Try to use the Identrust certificate because I think the default chain still goes to Identrust CA.
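As an added example (not from this thread; every certificate name is constructed), the script below builds a throwaway root -> intermediate -> leaf chain laid out like certbot's cert.pem, chain.pem and fullchain.pem, then runs the poster's verify command beside the corrected one. It assumes the openssl CLI (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example (constructed chain, not from the thread): mimic certbot's cert.pem,
# chain.pem and fullchain.pem and run the verify commands discussed above.
set -u
WORK=$(mktemp -d)
EXT="$WORK/ca.ext"

make_demo_chain() {
  # CA extensions; without CA:TRUE the intermediate is rejected as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$EXT"
  # Root (self-signed): the only certificate that belongs in -CAfile.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$EXT" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate signed by the root; certbot ships this as chain.pem.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$EXT" -out "$WORK/chain.pem" 2>/dev/null
  # Leaf signed by the intermediate; certbot ships this as cert.pem.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/chain.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/cert.pem" 2>/dev/null
  # fullchain.pem = cert.pem followed by chain.pem, as certbot writes it.
  cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"
}

# Each check exits 0 if openssl accepts the chain, non-zero otherwise.
# Poster's command: fullchain.pem holds no self-signed root, so path building
# stops at the intermediate (depth 1) with "unable to get issuer certificate".
verify_fullchain_as_cafile() {
  openssl verify -CAfile "$WORK/fullchain.pem" "$WORK/cert.pem" >/dev/null 2>&1
}
# Root alone fails too: the leaf's issuer (the intermediate) is nowhere to be found.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/cert.pem" >/dev/null 2>&1
}
# Correct form: root in -CAfile, chain.pem passed as untrusted intermediates.
verify_root_and_untrusted_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
    "$WORK/cert.pem" >/dev/null 2>&1
}

make_demo_chain
for check in verify_fullchain_as_cafile verify_root_only verify_root_and_untrusted_chain; do
  if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
```

The same split applies to the real files: the Let's Encrypt root downloaded from the page linked above goes in -CAfile, while certbot's chain.pem goes in -untrusted.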